01-03-2018 08:22 AM - edited 03-12-2019 04:52 AM
Hello,
I need to correctly establish the "SSL trust" for two different domains on a single ASA.
My goal is to use SSL AnyConnect VPN with certificate authentication without security warnings.
Two different certificate authorities are used:
Employees from Division-A have only the root certificate of CA-CompanyDivision-A installed.
Employees from Division-B have only the root certificate of CA-CompanyDivision-B installed.
The ASA's identity certificate is signed by CA-CompanyDivision-A.
Since the employees from Division-B have only the root certificate of CA-CompanyDivision-B installed, they will receive a security warning: they don't have the root certificate of CA-CompanyDivision-A installed, and therefore they don't trust CA-CompanyDivision-A.
Is there any way to configure this scenario so that the employees from Division-B would trust the ASA's identity certificate without needing to install the root certificate of CA-CompanyDivision-A on their machines?
Many thanks.
01-03-2018 08:45 AM
I don't think you can do what you're asking. The Division B employees would have to trust the issuing CA somehow or another. An ASA can only have a single active identity certificate.
Most commonly we would use a public CA that's trusted by the client OS (and/or is in Firefox's browser store since it doesn't use the OS' certificate store).
If that's not possible then you could push the Division A certificate as a trusted root CA to the Division B computers using an Active Directory (AD) Group Policy Object (GPO). Of course that's assuming an AD environment and Windows PCs.
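To show what each group's client actually does with the ASA's certificate, here is a small added example (not from this thread or from Cisco) that builds two independent root CAs in memory, issues a server certificate from CA-A the way the ASA's identity certificate is issued, and validates it against three client trust stores: CA-A only, CA-B only, and CA-B plus the CA-A root pushed by GPO. The hostname asa.example.test and all keys are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// mkCert returns a self-signed root CA when parent is nil, otherwise a server cert issued by parent.
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: must(rand.Int(rand.Reader, big.NewInt(1<<62))),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer, signKey := tmpl, key // self-signed unless a parent CA is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signKey = parent, parentKey
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey))
	return must(x509.ParseCertificate(der)), key
}
// clientTrusts mimics a VPN client whose store holds only roots; nil means no certificate warning.
func clientTrusts(roots []*x509.Certificate, asaCert *x509.Certificate) error {
	pool := x509.NewCertPool()
	for _, r := range roots { pool.AddCert(r) }
	_, err := asaCert.Verify(x509.VerifyOptions{Roots: pool, DNSName: asaCert.DNSNames[0]})
	return err
}

func main() {
	caA, keyA := mkCert("CA-CompanyDivision-A", nil, nil)
	caB, _ := mkCert("CA-CompanyDivision-B", nil, nil)
	asa, _ := mkCert("asa.example.test", caA, keyA) // ASA identity cert signed by CA-A
	fmt.Println("Division-A client, CA-A only:", clientTrusts([]*x509.Certificate{caA}, asa))
	fmt.Println("Division-B client, CA-B only:", clientTrusts([]*x509.Certificate{caB}, asa))
	fmt.Println("Division-B after CA-A pushed by GPO:", clientTrusts([]*x509.Certificate{caA, caB}, asa))
}
```

The second case fails with an unknown-authority error, which is exactly the warning the Division-B users see; only adding the CA-A root to their store (the GPO approach) makes it pass.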
01-03-2018 11:40 AM
Hello Marvin,
thank you for your answer.
The problem is that the identity certificate is issued by the internal certificate authority, CA-CompanyDivision-A, so employees from Division-B have to somehow trust the CA-CompanyDivision-A root certificate. And as this identity certificate is not issued by a well-known PKI player, this might be an issue.
Is there any way to push the CA-CompanyDivision-B root certificate onto the trustpoint that represents the identity certificate issued by CA-CompanyDivision-A?
Is there any way to chain the CA-CompanyDivision-B root certificate and the identity certificate that was issued by CA-CompanyDivision-A?
I highly doubt that, but I would like to ask you anyway.
Many thanks!
01-04-2018 12:19 AM
01-04-2018 01:37 AM
Hello Mohammed,
yeah, I thought so. Unfortunately, CA-CompanyDivision-B is not a subordinate certificate authority of CA-CompanyDivision-A.
It is an existing solution that currently works somehow, and I need to figure out how it works since I will need to migrate the current configuration to new hardware. I'll just discuss this with the customer.
Many thanks for your time.
Cheers,
Jan